[streams][significant events] add severity_score #244764
Conversation
Pinging @elastic/streams-program-team (Team:streams-program)
| ### Example 1: Calling `add_queries` with a single query | ||
|
|
||
| `>>> ACTION: add_queries(queries=[{"title": "View all errors", "kql": "error.message:*", "category": "error"}])` | ||
| `>>> ACTION: add_queries(queries=[{"title": "View all errors", "kql": "error.message:*", "category": "error", "severity_score": 60}])` |
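Review bot: the updated example on the last line now carries `"severity_score": 60` for an `error`-category query, but nothing next to it says how 60 was arrived at (which baseline, which modifier). Since this example is what the model imitates, add a one-line derivation beside it (baseline for the category plus any applied modifier) so the prompt teaches how the number is computed, not only that the field must be present.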
Should we go from 0.0 - 1.0 or from 0 to 100?
We discussed offline and will go with 0-100 to align with anomaly detection scoring.
++, let's also document this somewhere in the code.
…atus --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/streams --include-path /api/fleet --include-path /api/saved_objects/_import --include-path /api/saved_objects/_export --include-path /api/maintenance_window --include-path /api/agent_builder --update
| | `operational` | 30 | -10 expected lifecycle events | | ||
| | `configuration` | 25 | +10 security-related changes | | ||
|
|
||
| **Score ranges:** 80-100 critical, 60-79 high, 40-59 medium, 0-39 low |
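Review bot: the baseline/modifier table has no clamp rule, so nothing visible here stops an adjusted score from leaving the 0-100 scale or from crossing a bucket edge unintentionally (`operational` 30 with the -10 lifecycle modifier lands at 20, still low; stacked positive modifiers have no stated ceiling). Add a sentence after the score ranges such as "the final score is always clamped to 0-100", and make sure the tool schema that declares `severity_score` enforces the same bounds so an out-of-range value is rejected before it is stored.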
@shahzad31 If we can overload a prompt, that means we can overload this scoring in case we need/want to adjust it.
| QueryLink, | ||
| } from '../../../../common/assets'; | ||
| import { QUERY_KQL_BODY, QUERY_FEATURE_FILTER, QUERY_FEATURE_NAME, QUERY_TITLE } from './fields'; | ||
| import { |
@cesco-f I remember you had a PR to refactor this? Just stumbled over it as it is kind of odd that we modify the asset client for sig events. But not urgent.
What happens to existing sig events queries that don't have the score yet? Is it just 0?

@ruflin the score is currently optional, so it won't be defined for existing queries, as it sounds difficult to provide a correct backfill default; but if we want to, I'd be more inclined to set something in the 50-70 range than 0.

Having the score optional is great. Let's keep it that way.
Pull request overview
This PR adds a severity_score field to AI-generated queries in the streams significant events system. The severity score is a numeric value (0-100) that indicates the criticality of events matched by each query.
Key changes:
- Added `severity_score` as an optional numeric field to query schemas and storage
- Updated AI prompt system to include severity scoring guidelines with category-based baselines
- Modified data flow to propagate severity scores through the generation and storage pipeline
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `x-pack/platform/plugins/shared/streams/server/lib/streams/assets/fields.ts` | Defines new `QUERY_SEVERITY_SCORE` field constant |
| `x-pack/platform/plugins/shared/streams/server/lib/streams/assets/storage_settings.ts` | Adds `severity_score` as a `long` type field in storage schema |
| `x-pack/platform/plugins/shared/streams/server/lib/streams/assets/asset_client.ts` | Updates storage/retrieval logic to handle `severity_score` in query links |
| `x-pack/platform/plugins/shared/streams/server/lib/significant_events/read_significant_events_from_alerts_indices.ts` | Propagates `severity_score` to significant events returned from alerts |
| `x-pack/platform/plugins/shared/streams/server/lib/significant_events/generate_significant_events.ts` | Includes `severity_score` when generating event definitions |
| `x-pack/platform/packages/shared/kbn-streams-schema/src/queries/index.ts` | Adds optional `severity_score` field to query schema and validation |
| `x-pack/platform/packages/shared/kbn-streams-schema/src/api/significant_events/index.ts` | Makes `severity_score` required in generated event query interface |
| `x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/system_prompt.text` | Documents severity scoring system with category baselines and modifiers |
| `x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/prompt.ts` | Adds `severity_score` as required numeric field (0-100) in AI tool schema |
| `x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/generate_significant_events.ts` | Includes `severity_score` in `Query` interface |
| `oas_docs/output/kibana.yaml` | Updates OpenAPI spec with `severity_score` field |
| `oas_docs/output/kibana.serverless.yaml` | Updates serverless OpenAPI spec with `severity_score` field |
| `oas_docs/bundle.serverless.json` | Updates serverless API bundle with `severity_score` |
| `oas_docs/bundle.json` | Updates API bundle with `severity_score` |
| filter: Condition; | ||
| type: string; | ||
| }; | ||
| severity_score: number; |
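Review bot: `severity_score: number` on the last line is required here while the file summary lists the `kbn-streams-schema` query schema as keeping it optional; since this interface only describes freshly generated queries, a doc comment on the field stating the 0-100 integer range and that stored/legacy queries may lack the value would make the two shapes harder to confuse when one is assigned to the other.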
Copilot (AI), Dec 1, 2025:
The severity_score field is required in GeneratedSignificantEventQuery but optional in the schema definitions (streamQueryKqlSchema and upsertStreamQueryRequestSchema). This inconsistency could cause runtime errors when queries without severity_score are processed. Consider making this field optional here as well, or ensure it's always provided during generation.
| severity_score: number; | |
| severity_score?: number; |
| }, | ||
| }, | ||
| required: ['kql', 'title', 'category'], | ||
| required: ['kql', 'title', 'category', 'severity_score'], |
Copilot (AI), Dec 1, 2025:
The AI prompt marks severity_score as required in the tool schema, but the data schema in kbn-streams-schema defines it as optional. This mismatch could cause issues if non-AI code paths create queries without severity scores. Align the requirement status across the codebase or add validation to handle missing values.
| required: ['kql', 'title', 'category', 'severity_score'], | |
| required: ['kql', 'title', 'category'], |
This is on purpose. Existing queries do not have a score and we chose not to backfill that value.
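The two shapes discussed in this thread (a required score on the generation side, an optional one on stored queries, and no backfill to 0) can be modelled in a few lines. The following is an added TypeScript example, not code from the Kibana repository: the type and function names (`StoredQuery`, `GeneratedQuery`, `parseGeneratedQuery`, `describeSeverity`, `sortBySeverity`) and the sample queries are assumptions constructed for illustration. The bucket edges come from the score ranges in the system prompt (80-100 critical, 60-79 high, 40-59 medium, 0-39 low); the 0-100 integer bound on the generated side mirrors the tool-schema constraint described in the file summary.

```typescript
// Added example (not Kibana's own code). Models the PR's two schema shapes:
// the AI tool output requires severity_score, the stored query keeps it
// optional, and readers must cope with its absence without treating it as 0.

type SeverityLevel = 'critical' | 'high' | 'medium' | 'low';

// Query as stored and served by the streams API: severity_score is optional
// because pre-existing queries were deliberately not backfilled.
interface StoredQuery {
  title: string;
  kql: string;
  category: string;
  severity_score?: number;
}

// Query as produced by an AI tool call: severity_score is required.
interface GeneratedQuery extends StoredQuery {
  severity_score: number;
}

// Validate a raw tool-call argument into a GeneratedQuery. Rejects a missing,
// non-integer or out-of-range score (assumed 0-100 integer constraint).
function parseGeneratedQuery(raw: unknown): GeneratedQuery {
  if (typeof raw !== 'object' || raw === null) {
    throw new Error('query must be an object');
  }
  const r = raw as Record<string, unknown>;
  for (const key of ['title', 'kql', 'category'] as const) {
    if (typeof r[key] !== 'string' || r[key] === '') {
      throw new Error(`${key} must be a non-empty string`);
    }
  }
  const score = r.severity_score;
  if (typeof score !== 'number' || !Number.isInteger(score) || score < 0 || score > 100) {
    throw new Error('severity_score must be an integer in [0, 100]');
  }
  return {
    title: r.title as string,
    kql: r.kql as string,
    category: r.category as string,
    severity_score: score,
  };
}

// Map a score onto the ranges documented in the system prompt:
// 80-100 critical, 60-79 high, 40-59 medium, 0-39 low.
function severityLevel(score: number): SeverityLevel {
  if (score >= 80) return 'critical';
  if (score >= 60) return 'high';
  if (score >= 40) return 'medium';
  return 'low';
}

// Reader-side accessor: a legacy query without a score is reported as
// 'unscored' instead of being silently read as 0 (which would mean 'low').
function describeSeverity(q: StoredQuery): SeverityLevel | 'unscored' {
  return q.severity_score === undefined ? 'unscored' : severityLevel(q.severity_score);
}

// Order a mixed list: scored queries first by descending score, unscored
// ones last, never comparing `undefined` as a number.
function sortBySeverity(queries: StoredQuery[]): StoredQuery[] {
  return [...queries].sort((a, b) => {
    const sa = a.severity_score;
    const sb = b.severity_score;
    if (sa === undefined && sb === undefined) return 0;
    if (sa === undefined) return 1;
    if (sb === undefined) return -1;
    return sb - sa;
  });
}

// Constructed sample data (not from the PR): one scored query matching the
// prompt example, one legacy unscored query, one high-severity config change.
const SAMPLE_QUERIES: StoredQuery[] = [
  { title: 'View all errors', kql: 'error.message:*', category: 'error', severity_score: 60 },
  { title: 'Service restarts', kql: 'event.action:restart', category: 'operational' },
  { title: 'Auth config changed', kql: 'event.category:configuration', category: 'configuration', severity_score: 85 },
];
```

`parseGeneratedQuery` is the boundary where a required score is enforced; everything downstream works with `StoredQuery` and must branch on `undefined`, which is exactly the runtime gap the review comments above point at.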
miltonhultgren left a comment
LGTM, tested locally and see the API respond as expected, UI not updated yet.
Also, more insight will likely come as we start looking at the evaluations for these prompts!
💚 Build Succeeded
## Summary

Add a `severity_score` to the queries generated by AI

---------

Co-authored-by: kibanamachine <[email protected]>